Bugtraq mailing list archives

Re: Password Generation during RH Linux 6.x Installation


From: escher () SPOILED ORG (Fabian Kroenner)
Date: Thu, 8 Jun 2000 20:56:38 +0200


On Wed, Jun 07, 2000 at 11:21:42AM -0400, William R. Lorenz wrote:
> It seems as though, when entering a root password during RH Linux 6.x
> installation, the generated password, stored in the shadowed passwords file
> (/etc/shadow) does not contain a salt.  This has occurred on three separate
> machines, and after the root password is changed using the `passwd` command,
> the salt is included in the encrypted password, as it should be.  Can anyone
> confirm this observation and provide more details?  Thanks, in advance.

The issue has been reported to Red Hat in Oct 1999, and to BugTraq in
Jan 2000. It affects the installer in Red Hat 6.0 & 6.1. The root
password set during installation is never using MD5 encryption, but
plain-old crypt(3) instead. It does not affect user-accounts generated
during install.

Changing the root password after installation is highly recommended on
Red Hat Linux 6.0 & 6.1. Red Hat has not issued an official advisory
on this.

See also:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=5542
http://www.securityportal.com/list-archive/bugtraq/2000/Jan/0273.html

Regards...
Fabian
__________________________________________________________________
pub 1024D/19AB6A00 1999-12-14 Fabian Kroenner <escher () spoiled org>
key fingerprint: 2311 6D40 FE1F 9D94 77AD 20CA 2F38 AD9E 19AB 6A00
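
A check for the condition described in this message, as an added example that is not part of the original post or of Red Hat's tooling: it classifies the password field of each /etc/shadow entry and lists accounts whose hash is in the traditional crypt(3) format (13 characters, no `$1$` prefix) rather than MD5. The function names and the sample entries are constructed for illustration; the sample strings are not real hashes.

```python
import re

# Traditional DES crypt(3) output: exactly 13 characters from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $id$salt$hash, where id "1" means MD5-crypt.
MCF_RE = re.compile(r"^\$([0-9A-Za-z]+)\$")


def classify(field):
    """Return the scheme implied by the password field of a shadow entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    m = MCF_RE.match(field)
    if m:
        return "md5-crypt" if m.group(1) == "1" else "mcf-" + m.group(1)
    if DES_RE.match(field):
        return "des-crypt"
    return "unknown"


def audit(shadow_text):
    """Return the account names whose password hash is traditional crypt(3)."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # skip blank, malformed and comment lines
        if classify(parts[1]) == "des-crypt":
            findings.append(parts[0])
    return findings


# Constructed sample in /etc/shadow layout (placeholder strings, not real hashes).
SAMPLE = """\
root:ab01234567890:11116:0:99999:7:::
bin:*:11116:0:99999:7:::
alice:$1$Xy3kLm9Q$0123456789abcdefghijkl:11116:0:99999:7:::
"""

if __name__ == "__main__":
    for user in audit(SAMPLE):
        print(user + ": traditional crypt(3) hash, reset the password with passwd")
```

To audit a live system, pass the contents of /etc/shadow (readable by root only) to `audit()` instead of `SAMPLE`.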

